[Openid-specs-fapi] Fwd: New specs for Hashlink and HTTP Signatures released

Anders Rundgren anders.rundgren.net at gmail.com
Sun May 5 20:27:16 UTC 2019


Interesting about ETSI.
They are though fairly late to the party.

cheers
Anders

On Sun, 5 May 2019, 22:05 Ralph Bragg, <ralph.bragg at raidiam.com> wrote:

> Hi,
>
>
>
> Please see attached the communication from ETSI regarding choices of
> standards that have been adopted by the standards bodies specifically
> highlighting some concerns with HTTP Signature.
>
> Firstly, ETSI ESI has become aware that some PSD2 API standards
> communities are considering adoption of the Internet Draft standard for
> HTTP Signatures (
> https://tools.ietf.org/html/draft-cavage-http-signatures-10). It should
> be noted that:
>
>    1. HTTP Signature has status draft only and has not necessarily
>    undergone full review by cryptographic experts concerning possible
>    vulnerabilities inherent to that format
>    2. It makes no direct provision for preventing certificate
>    substitution attacks and can consequently be vulnerable to such attacks (cf.
>    RFC 5035, https://tools.ietf.org/rfcmarkup/5035 - Enhanced Security
>    Services for S/MIME)
>
> ETSI ESI has published a set of standards, commonly referred to as CAdES
> and XAdES for digital signatures applied to binary or XML data formats,
> which support signing arbitrary content even for signatures detached from
> the data being protected (reference: EN 319 122 and EN 319 132
> respectively) which could be used for PSD2 APIs. Also the ETSI PAdES (EN
> 319 142) standard can be used for signing PDF documents. These mature
> standards provide protection against known risks, can be used to assure the
> evidential value of the signatures over the long term and are the accepted
> formats for advanced electronic signatures and seals under the eIDAS
> regulation 910/2014.
>
> *ETSI is also working on an equivalent standard digital signature format
> to apply signatures to JSON data structures. This builds on the existing
> IETF RFC 7515 standard for JSON Web Signatures. *
>
> Cheers,
>
> Ralph
>
>
>
> *From: *Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on
> behalf of Anders Rundgren via Openid-specs-fapi <
> Openid-specs-fapi at lists.openid.net>
> *Reply-To: *Financial API Working Group List <
> Openid-specs-fapi at lists.openid.net>
> *Date: *Sunday, 5 May 2019 at 20:42
> *To: *Financial API Working Group List <Openid-specs-fapi at lists.openid.net>
> *Cc: *Anders Rundgren <anders.rundgren.net at gmail.com>
> *Subject: *[Openid-specs-fapi] Fwd: New specs for Hashlink and HTTP
> Signatures released
>
>
>
> F.Y.I
>
> ---------- Forwarded message ---------
> From: *Manu Sporny* <msporny at digitalbazaar.com>
> Date: Sun, 5 May 2019, 20:34
> Subject: New specs for Hashlink and HTTP Signatures released
> To: W3C Credentials CG <public-credentials at w3.org>
>
>
>
> Hi all,
>
> New specs have been published for Hashlink:
>
> https://tools.ietf.org/html/draft-sporny-hashlink-03
>
> ... and for HTTP Signatures:
>
> https://tools.ietf.org/html/draft-cavage-http-signatures-11
>
> Some highlights from the most recent specs:
>
> HTTP Signatures
>  * 25 implementations! (no, that is not a typo)
>  * Used by PSD2, Berlin Group, and STeT (European banking standards)
>  * Used for banking standards in Europe, OCAP-LD, HTTP-based DID Auth
>    Secure Data Hub authz (spec on its way in Summer 2019)
>  * We are putting together a test suite in order to do real interop
>    testing for the 25 existing implementations.
>
> Hashlink
>  * We failed to specify that arbitrary metadata is possible, this
>    version fixes that.
>  * Added Security Considerations section wrt. DO NOT use MD5/SHA-1, etc.
>
> These are a few of our building block specs for some of the technologies
> being worked on by the CCG.
>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Veres One Decentralized Identifier Blockchain Launches
> https://tinyurl.com/veres-one-launches
>